Tracking Devious Phishing Websites

Gone phishing: Researchers from Indiana University (left to right: Andrew Kalafut, Youngsang Shin, and Minaxi Gupta) are studying a trick used to make phishing sites harder to detect and block.

In the world of online fraud, as in real life, the longer miscreants can operate without being caught, the more money they stand to make. And experts have discovered that many phishers, crooks who use fake websites to trick users into giving up valuable personal information, have found a trick that makes it harder for the good guys to block or shut them down.

The trick, dubbed “flux,” allows a fake site to change its address on the Internet very quickly, making it hard for defenders to block these sites or warn unsuspecting users. According to research recently published in the journal IEEE Security and Privacy, about 10 percent of phishing sites are using flux to hide themselves.

Flux makes use of the Internet’s domain name system, which is responsible for matching a Web address typed into a browser with the server that actually hosts the site. When a user tries to visit a Web page, the domain name system first directs the lookup to the domain’s name server, which maintains the up-to-date list of addresses for that site. The name server then tells the user’s browser where to find the desired site.

Normally, only a small number of machines host copies of a site, just enough to keep it going if something goes wrong. Fraudulent sites, however, are a different story. Phishing sites are often hosted through botnets: thousands of hijacked machines distributed across the globe.

“These machines don’t belong to the miscreants, they belong to you and I and our grandmothers,” says Minaxi Gupta, an assistant professor of computer science at Indiana University who was involved with the research. Because phishers have access to so many machines, she explains, they can use all of them to move a site around rapidly, throwing defenders off the scent while keeping the website available.

To use flux, a phisher needs to control a domain name, which gives him the right to control its name server. The phisher then sets the name server so that it directs each new visitor to a different set of machines, cycling quickly through the thousands of addresses available within the botnet. Gupta notes that flux is most effective when the phisher shifts the location of the name server as well. If the name server is also moving to different locations on the Internet, it’s doubly hard for defenders to pinpoint a central location where the fake website can be shut down. Gupta’s group found that 83 percent of phishing sites that used flux this way lasted more than a day before being blocked, compared with a 65 percent survival rate for sites that didn’t use flux.
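The resolution path described above and the rotation of addresses and name servers described here give a defender something concrete to measure: repeated lookups of the same domain that keep returning different, widely scattered addresses with short TTLs, and a name-server set that itself changes over time. The following is an added example, not code from the article or from the Indiana University researchers. The DNS answers it analyses are constructed, and its thresholds (TTL of 300 seconds or less, five or more distinct /16 prefixes, low overlap between consecutive answers, a changing name-server set) are this example’s own assumptions rather than values reported by the study.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass(frozen=True)
class DnsSnapshot:
    """What a resolver saw for one domain at one moment.

    t           seconds since monitoring began
    a_records   IPv4 addresses returned for the site's host name
    ttl         TTL (seconds) on those A records
    ns_records  host names of the domain's name servers at that moment
    """
    t: int
    a_records: tuple
    ttl: int
    ns_records: tuple


def prefix_of(ip: str, prefixlen: int = 16) -> str:
    """Collapse an address to its /16, so hijacked hosts scattered across many
    networks count as many prefixes while one provider's contiguous pool counts as few."""
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def flux_features(snapshots: List[DnsSnapshot]) -> Dict[str, float]:
    """Summarise how the answers for one domain changed across repeated lookups."""
    all_ips = {ip for s in snapshots for ip in s.a_records}
    all_ns = {ns for s in snapshots for ns in s.ns_records}

    # Jaccard overlap of consecutive A-record sets: a value near 0 means each
    # new lookup is sent to a different set of machines.  Name-server changes
    # between consecutive lookups indicate the name server is moving as well.
    overlaps = []
    ns_changes = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        p, c = set(prev.a_records), set(cur.a_records)
        overlaps.append(len(p & c) / max(len(p | c), 1))
        if set(prev.ns_records) != set(cur.ns_records):
            ns_changes += 1

    return {
        "lookups": len(snapshots),
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len({prefix_of(ip) for ip in all_ips}),
        "min_ttl": min(s.ttl for s in snapshots),
        "mean_overlap": sum(overlaps) / len(overlaps) if overlaps else 1.0,
        "distinct_ns": len(all_ns),
        "ns_changes": ns_changes,
    }


def classify(snapshots: List[DnsSnapshot]) -> str:
    """Label a domain 'stable', 'single-flux' (A records rotate) or
    'double-flux' (the name servers rotate too).  The thresholds below are
    assumptions chosen for this example, not figures from the article."""
    f = flux_features(snapshots)
    a_flux = f["min_ttl"] <= 300 and f["distinct_prefixes"] >= 5 and f["mean_overlap"] < 0.5
    ns_flux = f["ns_changes"] >= 1 and f["distinct_ns"] >= 4
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "stable"


def constructed_samples() -> Dict[str, List[DnsSnapshot]]:
    """Constructed lookup histories; every address and host name is made up."""
    stable_ns = ("ns1.example.org", "ns2.example.org")
    # An ordinary site: two hosts, long TTL, the same name servers every time.
    stable = [DnsSnapshot(t, ("192.0.2.10", "192.0.2.11"), 3600, stable_ns)
              for t in (0, 900, 1800)]
    # Four lookups a minute apart, each answered with four fresh addresses in
    # different /16s; only one address is reused, between lookups 3 and 4.
    rotating_a = [
        ("10.11.0.5", "10.22.0.9", "10.33.1.7", "10.44.2.3"),
        ("10.55.0.1", "10.66.4.2", "10.77.9.9", "10.88.1.1"),
        ("10.99.3.3", "10.101.0.8", "10.111.2.2", "10.122.3.4"),
        ("10.133.0.2", "10.144.5.6", "10.155.7.8", "10.122.3.4"),
    ]
    flux_ns = ("ns1.example.net", "ns2.example.net")
    single = [DnsSnapshot(60 * i, ips, 60, flux_ns) for i, ips in enumerate(rotating_a)]
    rotating_ns = [flux_ns, flux_ns,
                   ("ns3.example.net", "ns4.example.net"),
                   ("ns5.example.net", "ns6.example.net")]
    double = [DnsSnapshot(60 * i, ips, 60, ns)
              for i, (ips, ns) in enumerate(zip(rotating_a, rotating_ns))]
    return {"stable": stable, "single": single, "double": double}


if __name__ == "__main__":
    for name, history in constructed_samples().items():
        print(name, classify(history), flux_features(history))
```

Repeated lookups are the point: a single answer with a low TTL proves nothing, because content delivery networks also hand out short-lived, changing addresses. What separates them in this heuristic is that a CDN's addresses fall into a few prefixes and its name servers stay put, whereas the botnet-hosted site spreads across many unrelated networks and, in the double-flux case, moves its name servers as well. In practice the prefix count would be replaced by an ASN lookup, and the thresholds tuned against known-good domains before being used to block anything.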